From: Nux!
To: users
Cc: dev
Reply-To: users@cloudstack.apache.org
Date: Mon, 6 Nov 2017 12:10:38 +0000 (GMT)
Message-ID: <270992313.1239.1509970237965.JavaMail.zimbra@li.nux.ro>
References: <1750999994.6369.1509476065042.JavaMail.zimbra@li.nux.ro>
Subject: Re: HTTPS LB and x-forwarded-for

Thanks Andrija,

LB outside of the VR sounds like a good idea. An appliance based on, say, cloud-init + ansible and so on could do the trick; alas it'd need to be outside ACS.

I guess as users we could maybe come up with a spec for an improvement; at least we'd have something the devs could look at whenever it is possible.

Regards,
Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Andrija Panic"
> To: "dev"
> Cc: "users"
> Sent: Thursday, 2 November, 2017 23:21:37
> Subject: Re: HTTPS LB and x-forwarded-for

> We used to make some special stuff for one of the clients, where all LB
> configuration work is done from outside of the ACS, i.e. python script to
> feed/configure VR - install latest haproxy 1.5.x for transparent proxy,
> since client insisted on SSL termination done on backend web SSL servers....
> Not a good idea, that is all I can say (custom configuration thing) - but the
> LB setup is actually good - transparent mode haproxy, works on TCP level,
> so you can see "real client IP" on the backend servers (which must use VR
> as the default gtw, as per default, so the whole setup works properly).
>
> I'm still looking forward to seeing some special support of LB inside VR via
> ACS - proper LB setup inside VR via GUI/API - i.e. to enable LB
> provisioning SCRIPT (bash, or whatever), where all needed
> install+configure can be done from client side - otherwise covering all
> user cases, with proper HTTP checks and similar....is impossible to do
> IMHO.
>
> Some other clients actually have an internal FW appliance (i.e. multihomed
> VM, acting as gtw for all VMs in all networks), and haproxy installed on
> this device (with NAT configured from VR to this internal FW/VM, so remote
> IP can be seen properly) - this setup is fully under customer control, and
> can provide any kind of special haproxy config...
>
> On 31 October 2017 at 19:54, Nux! wrote:
>
>> Hello,
>>
>> Of the people running an LB (VR) with https backends, how do you deal with
>> the lack of x-forwarded-for since for port 443 there's just simple TCP
>> balancing?
>>
>> Has anyone thought of terminating SSL in the VR instead? Ideas?
>>
>> Cheers
>>
>> --
>> Sent from the Delta quadrant using Borg technology!
>>
>> Nux!
>> www.nux.ro
>>
>
> --
>
> Andrija Panić
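The three setups discussed in this thread (plain TCP balancing on 443 as the VR does it, TLS termination on the balancer with X-Forwarded-For, and haproxy in transparent mode with the backends routing back through the balancer) written out as one haproxy configuration. This is an added example for the thread, not the haproxy template shipped in the CloudStack VR and not the scripts Andrija describes; the backend addresses 10.1.1.10/11, the listener ports, the certificate path and the nginx directives named in comments are assumptions. A fourth option, the PROXY protocol, is not raised in the thread; it is included because it passes the client address over a TCP-level balancer without the default-gateway requirement of transparent mode.

```haproxy
# Constructed example haproxy.cfg. The three 443-style listeners use
# different ports only so they can coexist in one file; in practice you run
# exactly one of them on 443.
global
    log /dev/log local0

defaults
    log             global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# 1) What the VR does today for port 443: TCP balancing. TLS stays on the
#    backends, but they only ever see the balancer's own source address, and
#    there is no HTTP layer in which an X-Forwarded-For header could be added.
frontend fe_https_tcp
    bind *:443
    mode tcp
    default_backend be_https_tcp

backend be_https_tcp
    mode tcp
    balance roundrobin
    server web1 10.1.1.10:443 check
    server web2 10.1.1.11:443 check

# 2) Terminate TLS on the balancer and speak HTTP (or re-encrypted HTTPS)
#    to the backends. Overwrite X-Forwarded-For rather than append to it:
#    "option forwardfor" appends %[src] to whatever the client itself sent,
#    so a client can send "X-Forwarded-For: 127.0.0.1" and a backend that
#    reads the first element is fooled. set-header discards the client value.
#    The backends must still only honour the header when the request comes
#    from this balancer's address (nginx: set_real_ip_from <lb ip>).
frontend fe_https_terminate
    bind *:8443 ssl crt /etc/haproxy/certs/site.pem
    mode http
    http-request set-header X-Forwarded-For   %[src]
    http-request set-header X-Forwarded-Proto https
    default_backend be_http

backend be_http
    mode http
    balance roundrobin
    server web1 10.1.1.10:80 check
    server web2 10.1.1.11:80 check

# 3) Transparent TCP proxy, the setup from Andrija's reply: TLS still
#    terminates on the backends, but haproxy opens the backend connection
#    with the real client's source address, so backend logs and ACLs see it.
#    The backends' replies are addressed to that client IP, so they must be
#    routed back through this host: the backends' default gateway has to be
#    the balancer (the VR, in the thread's case). haproxy must be built with
#    TPROXY support and the kernel needs the usual rules, outside this file:
#      iptables -t mangle -A PREROUTING -p tcp -m socket -j MARK --set-mark 1
#      ip rule add fwmark 1 lookup 100
#      ip route add local 0.0.0.0/0 dev lo table 100
frontend fe_https_transparent
    bind *:9443
    mode tcp
    default_backend be_https_transparent

backend be_https_transparent
    mode tcp
    balance roundrobin
    source 0.0.0.0 usesrc clientip
    server web1 10.1.1.10:443 check
    server web2 10.1.1.11:443 check

# 4) PROXY protocol (not discussed in the thread): TCP passthrough as in 1,
#    but haproxy prefixes each backend connection with a line carrying the
#    original client address, and the backend parses it (nginx: "listen 443
#    ssl proxy_protocol;" plus "real_ip_header proxy_protocol;"). No routing
#    change is needed. The backend must accept the PROXY header only from
#    this balancer's address; a listener that accepts it from anyone lets any
#    client claim any source IP.
frontend fe_https_proxyproto
    bind *:10443
    mode tcp
    default_backend be_https_proxyproto

backend be_https_proxyproto
    mode tcp
    balance roundrobin
    server web1 10.1.1.10:443 send-proxy check
    server web2 10.1.1.11:443 send-proxy check
```

Check the file with `haproxy -c -f haproxy.cfg` before reloading; the `usesrc clientip` line is rejected at that step on a build without TPROXY support, which is the quickest way to find out whether the packaged haproxy can do option 3 at all. Whichever option is chosen, the backends should treat the client address as trustworthy only when it arrives from the balancer, since both the header in option 2 and the PROXY line in option 4 are plain text that anyone who can reach the backend port directly could forge.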